Seeing the Big Picture of Mishaps

Applying the AcciMap Approach to Analyze System Accidents

Kate Branford
Dédale Asia Pacific, Albert Park, Australia

Abstract. The analysis of major accidents in safety-critical systems requires a “big-picture” approach, with the capacity to accommodate contributing factors from within the organisations involved and from dysfunctional interactions between different parts of the broader system. Rasmussen’s AcciMap approach is useful in this regard, as it illustrates how multiple factors throughout the system combined to produce an accident. This article describes the application of this technique to the Überlingen mid-air collision and draws on this application to discuss the benefits of the AcciMap approach. These include its capacity to incorporate contributing factors from all system levels and illustrate their interrelationships succinctly; to depict the activities of front-line workers within the context in which they occurred; and to aid safety recommendation development.
The nature and scope of accident analysis techniques has begun to change in recent decades in recognition of the increasing complexity and integration of safety-critical systems. Today investigations of major accidents in these systems frequently reveal a variety of contributing factors, stemming both from within the affected organization and from external organizations whose activities are interconnected. In addition, more and more accidents are occurring not as a result of component failures but as a result of unanticipated interactions between nonfailing components and benign activities throughout the system (Leveson, 2004; Snook, 2000). An example was the accidental shooting down of two US Army Black Hawk helicopters by US Air Force F-15 fighter aircraft in 1991, which occurred primarily as a result of integration and coordination deficiencies between cooperating organizations, without any major equipment failures or unusual operator behaviors taking place (Snook, 2000). Techniques for analyzing these events require a “big-picture” approach, with the capacity to accommodate contributing factors both from within different parts of the sociotechnical system and from interactions between them.

Several theories and analysis techniques have emerged in an effort to better understand and model accidents in this way, including Leveson’s (2004) systems-theoretic accident model and processes (STAMP) model, Snook’s (2000) theory of practical drift, various applications of Reason’s (1997) model of organizational accidents, and Rasmussen’s AcciMap approach. Rasmussen’s technique is particularly useful for this purpose because it compiles the multiple factors that contributed to an accident in a causal diagram that illustrates how they interacted to produce that outcome. This article outlines Rasmussen’s theory of accident causation and the AcciMap approach. It then describes the application of this technique to the analysis of the Überlingen midair collision of 2002, to highlight the features and benefits of this big-picture approach.


Rasmussen’s Theory of Accident Causation


Rasmussen (1997) regards accidents in complex sociotechnical systems as the result of a loss of control over potentially hazardous work processes, and views safety as requiring “control of work processes so as to avoid accidental side effects causing harm to people, environment, or investment” (p. 184). He views the system for controlling these processes as consisting of several levels:


• a government level, at which laws and legislation are developed to formalize the control over hazardous processes;
• a level of regulators and associations, where this legislation is converted into industry rules and regulations;
• a company level, where regulations are integrated into company rules and policies;
• a management level, where staff activities are directed and overseen with reference to these rules and policies; and
• staff and work levels, where the activities immediately related to the control of hazardous processes occur (Rasmussen, 1997; Vicente & Christoffersen, 2006).


These levels are connected by the flow of decisions and information, with decisions propagating downward in the form of laws, regulations, and policies, and with information about the actual status of the system propagating upward. This exchange is essential for safety because, if directions from the higher levels are not followed or system information is not conveyed upward, control over hazards can be lost (Vicente & Christoffersen, 2006). In this way, safety depends not only on the activities of workers who interact directly with the hazardous processes, but on the activities of individuals at every level in the system and on the interactions between these levels (Vicente & Christoffersen, 2006). An important additional consideration is that these levels are not stable; each is constantly adapting in response to external influences such as political, financial, and technological circumstances. Maintaining control is therefore a dynamic process, involving the entire sociotechnical system (Svedung & Rasmussen, 2002).

Rasmussen (1997) describes a process of migration to explain how accidents can occur in this context. Within a competitive environment, people throughout the system are under pressure to work in a cost-effective manner. This cost gradient pushes workers, and the system as a whole, toward efficiency and away from the “boundary to economic failure” (see Figure 1). At the same time, an effort gradient directs them away from unacceptable workloads and toward easier ways to work. As a result of these pressures, work practices go through a migration process, as workers throughout the system seek a balance between effort and cost-effectiveness in their work (Vicente & Christoffersen, 2006). The result is movement toward the “boundary of functionally acceptable performance” and, when this boundary is crossed, accidents can occur (Rasmussen, 1997).

The problem is that individuals cannot judge where the safety boundaries relevant to their activities actually lie, because the location of these boundaries depends on the decisions and activities of other people, at different times, in different parts of the system. The effectiveness of the system defenses protecting one individual is dependent on the extent to which the defenses have been violated by others in the system and the extent to which redundant and overlapping defenses are intact, neither of which are visible to workers (Rasmussen, 1997). The actual boundaries of safe performance (see Figure 1) only become visible after they have been crossed and an accident occurs. At this point, the relationship between the independent activities of the different individuals becomes clear, and degradation in safety that may have been occurring over a number of years is revealed (Rasmussen, 1997; Svedung & Rasmussen, 2002).

Rasmussen (1997) notes that, when accidents occur, “the stage for an accidental course of events” has usually been developing, over time, through the efforts of workers throughout the system to work efficiently and cost-effectively. Often, it is a “quite normal variation in somebody’s behaviour” that ultimately “releases” the accident (p. 190). Frequently, that individual will not understand what has happened because this behavior was not particularly different from past behaviors that had no negative effects (Vicente & Christoffersen, 2006). This decision or action is often viewed as a primary cause of the accident even though it is likely that, had this factor not “released” the accident, another would have. For this reason, Rasmussen and Svedung (2000) suggest that explanations of system accidents should not focus on the actions or errors that triggered the event, but on the broader sociotechnical context in which these events unfolded.

Figure 1. Migration toward safety boundaries. Adapted from “Risk management in a dynamic society: A modelling problem,” by Rasmussen (1997). Copyright 1997 Elsevier Science. Reprinted with permission.


The AcciMap Approach 


The AcciMap approach was developed by Rasmussen as a means of modeling this sociotechnical context to identify the combination of events and decisions that produced an accident. For Rasmussen, the AcciMap is part of a broader proactive risk management process for generalizing from multiple accidents to devise risk management strategies (Rasmussen & Svedung, 2000). However, the approach has also been used as an independent accident analysis technique in a variety of domains, including aviation, rail, public health, and gas production (Hopkins, 2000, 2005; Royal Australian Air Force [RAAF], 2001; Vicente & Christoffersen, 2006). The technique involves the construction of a causal diagram, which maps the multiple contributing factors to an accident and their interrelationships onto the levels of the sociotechnical system. In doing so, the AcciMap diagram depicts the context within which the accident occurred and the interactions that resulted in that event. To illustrate the features of this big-picture approach, the next section describes an application of the AcciMap approach to a major aviation accident: the Überlingen midair collision of 2002.¹


The Überlingen Mid-Air Collision


The information in the following sections is derived from the accident investigation report issued by the German Federal Bureau of Aircraft Accidents Investigation (Bundesstelle für Flugunfalluntersuchung [BFU], 2004).


Accident Summary 


On the evening of July 1, 2002, a Tupolev TU154M flying from Moscow to Barcelona and a Boeing B757-200 en route from Bergamo to Brussels collided near the town of Überlingen, Germany. Both aircraft were destroyed, and none of the 71 people on board the two aircraft survived.

At the time of the collision, both aircraft were under the control of the area control center (ACC) in Zurich. There was only one controller in the control room, as the second controller was resting in the lounge. This practice was standard for the night shift once traffic flow decreased and was known to, and tolerated by, management. The controller was handling the two aircraft on one workstation, on one frequency. He was also using an adjacent workstation and frequency to handle the unexpected arrival of a delayed Airbus A320 on approach to Friedrichshafen. In order to communicate with the three aircraft on the two frequencies, he had to switch back and forth between the two workstations, which caused him to miss some transmissions.

Modification work was underway on sectors of upper airspace that evening, and, as a result, the radar was operating in fallback mode. In this mode, there was no automatic correlation of the flight targets and no visual short-term conflict alert (STCA) to provide a visual alert of separation infringements. In addition, the main telephone system for communicating with neighboring air traffic control (ATC) centers was nonfunctional. The bypass system was available, but a technical fault had occurred in that system, which meant the controller could not establish contact with Friedrichshafen.

The Tupolev crew first contacted the controller at 9:30:11 p.m. At that time, the Boeing and Tupolev were at the same flight level and 64 nautical miles (NM) apart. The controller did not notice the potential conflict at this point and therefore did not take action to remedy it. At the time, he was working on the adjacent workstation, and his attention was focused on trying to contact Friedrichshafen, as the A320 was approaching the hand-off point. He made repeated attempts to call Friedrichshafen, which failed due to the bypass system fault and occupied his concentration at this critical time. In the final minutes leading up to the collision, a number of events occurred in rapid succession. These are described in Table 1.


AcciMap of the Überlingen Accident


Figure 3 shows an AcciMap depicting the multiple events and conditions that interacted to result in this accident. The analysis was performed using the AcciMap process and format described by Branford (2007) and Branford, Naikar, and Hopkins (2009).² The outcomes, in this instance, the collision and resulting fatalities and hull losses, are shown at the bottom of the diagram, with the contributing factors branching upward. The contributing factors are factors that were necessary for the accident to occur, that is, “had they been otherwise, the accident would (probably) not have occurred” (Branford et al., 2009, p. 206). The factors depicted as rectangles are those contributing factors that are of practical significance, that is, those which could conceivably, and usefully, be addressed through appropriate remedial action. The factors depicted as ovals represent the other category of contributing factor that is included in AcciMaps, namely, those that are not of practical significance but are necessary for making sense of the accident scenario. These are factors that contributed to the accident but cannot usefully be avoided, either because it would not be sensible, or because it would be impractical or impossible to do so (Branford et al., 2009). Examples include the unexpected arrival of the delayed A320 and the airspace sectorization modification, because these are necessary for describing the event sequence but are not inherently hazardous and do not require prevention.³

The contributing factors are arranged into levels, broadly reflecting those of Rasmussen’s control system. The level above the outcomes describes the immediate precursors to the collision, relating to both physical conditions and the activities of the front-line individuals. This level includes the physical system factors that contributed to the event, such as the bypass system fault and radar limitations, as well as the human activities and conditions that resulted in the outcome, such as the controller’s late detection of the conflict situation and the Tupolev crew’s decision to follow the controller’s instructions over a resolution advisory issued by the on-board traffic alert and collision avoidance system (TCAS). The organizational factors (e.g., operations manual discrepancies relating to TCAS, and the ACC Zurich’s deficiencies regarding staffing at night) are depicted at the next level. Factors external to the organizations involved, specifically those relating to international regulations and national procedures, are shown in the external level. In this way, the contributing factors are arranged in terms of their causal remoteness from the accident (Branford et al., 2009), with the immediate precursors at the bottom and those that are more remote (in time and proximity) in the higher levels. The arrows in the AcciMap illustrate the causal relationships between these factors and how they combined to produce the outcome. An arrow from one factor to another indicates that the first was necessary for the second to occur (Branford et al., 2009). In this way, following the arrows upward in the diagram uncovers why each of the factors emerged. For instance, by following the chain of shaded boxes illustrated in Figure 3, it is evident that the accident occurred, in part, because the controller did not detect the impending conflict situation in time. This was, in turn, the result of several factors, one being that his time and attention were focused on the delayed A320. This situation was partly due to the fact that the controller did not seek help, which was, in turn, a result of his misjudgment of the system status and workload requirements. This factor was the result of organizational deficiencies at ACC Zurich relating to training, documentation, and briefings on handling unusual situations and system degradation, which was, in turn, a result of more general risk management deficiencies at ACC Zurich. By examining the causal relationships in this way, it is possible to understand how each factor contributed to the outcome and that, “had any one factor been otherwise, the accident would most likely have been avoided” (Branford et al., 2009, pp. 202-203).

Table 1. Final seconds leading up to the collision

Timing: Events

At 9:33:18 p.m.: The Tupolev crew saw the approaching aircraft on the traffic alert and collision avoidance system (TCAS) display and attempted to establish its position.

6 s later: A controller at ATC Karlsruhe was alerted to the potential conflict by an STCA alarm. However, his 11 attempts to warn the Zurich controller failed because he could not establish a phone connection. He was not aware of the airspace sectorization modification being undertaken at the time.

1 min, 18 s later: TCAS* on both the Tupolev and the Boeing aircraft warned the crews of conflicting traffic: “traffic, traffic.”

7 s later: The Zurich controller, having just noticed the potential conflict situation for the first time, instructed the Tupolev to descend to flight level 350: “descend flight level 350, expedite, I have crossing traffic.” The Tupolev crew immediately began to descend. The controller observed that the Tupolev had initiated descent and, considering the conflict situation resolved, moved back to the adjacent monitor and returned his attention to the A320, which had just contacted him on the other frequency.

7 s later: TCAS on the Boeing issued a resolution advisory to descend: “descend, descend.” TCAS on the Tupolev issued a resolution advisory to climb: “climb, climb.” The Boeing crew responded appropriately by switching off the autopilot and initiating descent. Rather than adhering to the TCAS resolution advisory as expected, the Tupolev crew continued to descend, following the ATC instruction, but did not acknowledge the instruction due to confusion in the cockpit about the conflicting messages:
  Copilot: “It [TCAS] says climb”
  Pilot in command: “He [ATC] is guiding us down”
  Copilot: “Descend?”
While ICAO documents state clearly that maneuvers contrary to the TCAS advisories are prohibited, the Tupolev operating manual was ambiguous in this regard and in some parts identified air traffic control as the highest priority for collision avoidance.

7 s later: The controller repeated the instruction for the Tupolev to descend because the first instruction was not acknowledged: “descend level 350, expedite descend.” The Tupolev acknowledged the instruction, and may have viewed it as confirmation that they were responding as intended. The Tupolev then increased its rate of descent. The controller did not know that the Boeing was also descending because the radar image had not yet renewed to show its new flight level.

7 s later: TCAS on the Boeing advised the crew to increase descent: “increase descent, increase descent.” The rate of descent was subsequently increased.

9 s later: The Boeing crew reported their TCAS descent to the controller. However, the controller did not receive this message as he was receiving a call from the A320 on the other frequency at the time.

5 s later: TCAS on the Tupolev advised the crew to increase the rate of climb: “increase climb, increase climb.” The copilot commented: “It says ‘climb’!”

3 s later: The control column on the Tupolev was pulled back and thrust levers were then pushed forward.

5 s later: The two aircraft collided (see Figure 2).

Notes. ATC = air traffic control; ICAO = International Civil Aviation Organization; STCA = short-term conflict alert.
* The traffic alert and collision avoidance system (TCAS) is an automated warning system designed as a last defense against midair collisions. The TCAS transponder on an aircraft monitors the surrounding airspace and tracks other aircraft to calculate possible airborne conflicts. When TCAS detects a threat situation between two aircraft fitted with the technology, it issues simultaneous, complementary advisories to the affected flight crew, that is, one is advised to climb and the other to descend.

[Figure 2: reconstruction of the two aircraft paths at the point of collision. Tupolev TU154M, heading 274°; Boeing B757-200, heading 004°.]

Figure 2. A reconstruction of the paths of the two aircraft at the point of collision. Reprinted from “Investigation Report AX001-1-2/02,” by BFU (2004). Copyright 2004 BFU. Reprinted with permission.

¹ See Branford (2007) for discussion of the advantages and limitations of this approach.
² See Branford et al. (2009) for full details of this process, including step-by-step instructions for performing an AcciMap analysis.
³ While these factors themselves are not of direct practical significance, because nothing can sensibly be done to avoid them, the way in which they are planned for and managed is of practical significance. Thus factors relating to organizational risk management and processes for handling unusual situations and system degradation are depicted as rectangles in Figure 3.
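The reading of the diagram described above (arrows mean “necessary for”, following them upward answers why a factor emerged, and only rectangle factors are candidates for remedial action) can be made mechanical. The following Python model is an added example written for this page; it is not code from the article or from Branford et al. Its factors are a constructed subset of Figure 3 taken from the text of this article, and the level and rectangle/oval assignments for factors the article does not itself classify (the radar fallback, the bypass fault, the sectorization modification, the external guidance on TCAS) are assumptions. The consistency checks (no arrow pointing to a higher level, no cycles) are choices made for this example, not rules stated in the article.

```python
"""Hypothetical AcciMap model: factors on levels, arrows meaning 'cause was necessary for effect'."""
from dataclasses import dataclass

# Levels indexed bottom (0) to top (3), following the article's arrangement of Figure 3.
LEVELS = ["Outcomes", "Immediate precursors", "Organizational", "External"]
RECT, OVAL, OUTCOME = "rectangle", "oval", "outcome"   # rectangle = of practical significance


@dataclass(frozen=True)
class Factor:
    name: str
    level: int   # index into LEVELS
    kind: str    # RECT, OVAL or OUTCOME


class AcciMap:
    def __init__(self):
        self.factors = {}   # name -> Factor
        self.causes = {}    # effect name -> [cause names]; arrows are stored reversed

    def add(self, name, level, kind=RECT):
        self.factors[name] = Factor(name, level, kind)
        self.causes[name] = []
        return name

    def arrow(self, cause, effect):
        """Record 'cause -> effect': the cause was necessary for the effect to occur."""
        self.causes[effect].append(cause)

    def why(self, factor):
        """Every factor upstream of `factor`, i.e. everything that was necessary for it."""
        seen, stack = set(), list(self.causes[factor])
        while stack:
            f = stack.pop()
            if f not in seen:
                seen.add(f)
                stack.extend(self.causes[f])
        return seen

    def longest_chain(self, factor):
        """Deepest single causal chain upward from `factor` (like the shaded chain in Figure 3).
        Assumes check() reported no cycle."""
        best = []
        for c in self.causes[factor]:
            chain = self.longest_chain(c)
            if len(chain) > len(best):
                best = chain
        return [factor] + best

    def recommendation_targets(self, outcome):
        """Upstream rectangle factors: the ones remedial action could usefully address."""
        return sorted(f for f in self.why(outcome) if self.factors[f].kind == RECT)

    def check(self):
        """Consistency checks chosen for this example: arrows never point to a higher level,
        and the map is acyclic. Returns a list of problem descriptions (empty = consistent)."""
        problems = []
        for effect, causes in self.causes.items():
            for cause in causes:
                if self.factors[cause].level < self.factors[effect].level:
                    problems.append(f"arrow from '{cause}' points to higher level '{effect}'")
        state = {}  # name -> "visiting" | "done"

        def visit(f, path):
            if state.get(f) == "done":
                return
            if state.get(f) == "visiting":
                problems.append("cycle: " + " <- ".join(path + [f]))
                return
            state[f] = "visiting"
            for c in self.causes[f]:
                visit(c, path + [f])
            state[f] = "done"

        for f in self.factors:
            visit(f, [])
        return problems


def uberlingen_subset():
    """Constructed subset of the Überlingen AcciMap, using factors named in the article's text."""
    m = AcciMap()
    O, P, G, E = 0, 1, 2, 3
    collision = m.add("Collision between descending Tupolev and descending Boeing", O, OUTCOME)
    fatalities = m.add("71 fatalities, both aircraft destroyed", O, OUTCOME)
    late = m.add("Controller did not detect the impending conflict in time", P)
    attention = m.add("Controller's attention focused on the delayed A320", P)
    no_help = m.add("Controller did not seek help", P)
    misjudged = m.add("Controller misjudged system status and workload", P)
    radar = m.add("Radar in fallback mode: no visual STCA", P)          # level/kind assumed
    bypass = m.add("Bypass telephone system fault", P)                  # level/kind assumed
    followed_atc = m.add("Tupolev crew followed ATC instruction over TCAS resolution advisory", P)
    a320 = m.add("Unexpected arrival of the delayed A320", P, OVAL)     # oval per the article
    sectors = m.add("Airspace sectorization modification", G, OVAL)     # oval per the article; level assumed
    training = m.add("ACC Zurich deficiencies in training, documentation and briefings on unusual situations", G)
    risk_mgmt = m.add("General risk management deficiencies at ACC Zurich", G)
    manual = m.add("Tupolev operating manual ambiguous on TCAS versus ATC priority", G)
    guidance = m.add("Inconsistent guidance on TCAS priority between international and national bodies and operators", E)
    for cause, effect in [
        (collision, fatalities), (late, collision), (followed_atc, collision),
        (attention, late), (radar, late), (no_help, attention), (bypass, attention), (a320, attention),
        (misjudged, no_help), (training, misjudged), (risk_mgmt, training),
        (sectors, radar), (manual, followed_atc), (guidance, manual),
    ]:
        m.arrow(cause, effect)
    return m


if __name__ == "__main__":
    amap = uberlingen_subset()
    print("problems:", amap.check())
    print(" <- ".join(amap.longest_chain("71 fatalities, both aircraft destroyed")))
    print("recommendation targets:", amap.recommendation_targets("Collision between descending Tupolev and descending Boeing"))
```

Running the script prints the shaded chain of Figure 3 as the longest upward path from the fatalities, and the recommendation targets exclude the two oval factors (the A320 arrival and the sectorization modification), matching the article's point that such factors are needed to describe the sequence but are not what remedial action should be aimed at.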


AcciMap Advantages 


There are several advantages to adopting the AcciMap approach. First, it has the capacity to take the big picture into account, identifying factors from within the organization(s) involved as well as other interrelated bodies. The Überlingen example in Figure 3 depicts contributing factors stemming from interactions between the different levels of the system (e.g., the breakdown of communication and information within ACC Zurich), as well as those stemming from interactions between separate organizations (e.g., those between the Boeing and Tupolev operators and ACC Zurich). These interrelationships are difficult to model using techniques that do not extend beyond organizational boundaries. Yet their inclusion is important since, as Dulac and Leveson (2004) suggest, it is in these “boundary areas” or “overlapping areas of control” that accidents most often occur.

The AcciMap format also distils large quantities of information about the contributing factors and their interrelationships into a single diagram. Figure 3 shows, for instance, that the fact that a single controller was covering two workstations and frequencies was the result of five separate factors and that it contributed to the outcome in two ways: by preventing the controller from detecting the conflict situation in time and by preventing him from knowing that the Boeing was descending. Describing all of the factors and interrelationships in text would take multiple pages and be difficult to follow. Compiling the information in this way makes the factors and interactions that resulted in the outcome clear and assists in conveying the information in a succinct way (Branford et al., 2009).

This approach also places the events that finally “released” the accident into the necessary context for understanding how and why the accident occurred. The provision of this contextual detail helps to avoid unfairly blaming the front-line operators, because it provides the background of how their activities came about and how these actions were able to “release” an accident. In the Überlingen example, it would be easy to blame the controller for the accident, as he did not notice that two aircraft under his control (one carrying numerous Russian schoolchildren) were converging on a collision course until too late, and then instructed the Tupolev to descend when the conflicting aircraft was also descending. Tragically, this view was taken by a grieving relative who, after losing his wife and children in the collision, stabbed the controller to death in 2004. Regrettably, there was some local public support for his action among the Russian community that lost the schoolchildren: The killer was “treated as a national hero” and was appointed to a ministerial position in his home region after serving a prison term of less than 4 years in Switzerland (Franchetti, 2008). However, the AcciMap shows that the controller’s behavior did not take place in a vacuum. He was operating with degraded radar capability and without a functioning telephone system, and was dealing with an unexpected aircraft arrival which, due to the telephone fault, occupied a significant amount of his attention. He was also the only controller in the control room at the time, in accordance with normal practice, and was working on two workstations and frequencies on simultaneous tasks. In addition, system defenses that could have alerted him to an impending conflict in time to resolve the situation (such as the visual STCA and communications from adjacent ATC centers) were, unknown to him, nonfunctional at the time. The system defenses were degraded to the point where, unbeknownst to the controller, he was one decision, oversight, or misjudgment away from catastrophe.

Finally, this big-picture approach can be useful for determining where corrective actions should be directed. As discussed by Branford et al. (2009), the approach enables analysts to identify high-level factors relating to organizational, governmental, regulatory, and international practices that can be addressed to make lasting improvements to system safety. In addition, because the effects of dysfunctional integration, coordination, and communication within and between organizations are depicted in the AcciMap, these can be identified and addressed through safety recommendations. For instance, recommendations derived from the AcciMap in Figure 3 would focus on the organizational deficiencies within ACC Zurich and the Tupolev operator, as well as the communication deficiencies between ATC centers and between international and national bodies and aircraft operators regarding the use of TCAS.

[Figure 3: AcciMap diagram. Bottom level, OUTCOMES: “Collision between descending Tupolev TU154M and descending Boeing B757-200” → “71 fatalities, both aircraft destroyed”. The contributing-factor levels above the outcomes are not recoverable from the extracted text.]

Figure 3. An AcciMap of the Überlingen midair collision. ACC = area control center; ATC = air traffic control; ATCO = air traffic controller; STCA = short-term conflict alert; TCAS = traffic alert and collision avoidance system; UAC = upper area control.


Conclusion 


This article described the application of Rasmussen’s AcciMap approach to the Überlingen midair collision of 2002 to illustrate the features and benefits of this big-picture approach. The application highlighted the capacity of this technique to incorporate factors stemming both from within the organizations involved in the midair collision and from the dysfunctional interactions between them, a capacity that must be met in order to adequately model and understand complex systemic accidents. The benefits of the approach in distilling the complex relationships that contributed to an event into a single, coherent diagram, for illustrating the broader sociotechnical context in which the event unfolds, and for promoting high-level safety recommendations were also discussed.